
Re: CRL Push over S/Mime



Trevor Freeman wrote:
> 
> I have been asked to write up a mail based distribution for pkix part
> two.
> I do not understand the reasoning behind using S/MIME for
> certificate/CRL distribution. The data being distributed is signed, so
> its integrity is not in question. It's published data, so why do we need
> confidentiality?
> 
> If someone has some insight it would be welcome before I finish the
> work.

I have had a discussion about this with Sharon. For certificates, S/MIME
is not needed at all. For CRLs, S/MIME with a content type of
"SignedData" *may* be useful to counter the threat of the replay of a
previous, but apparently valid CRL.

Let me explain. CRLs are normally issued regularly before the date of
the next publication. In case of emergency, a CRL may be issued well
before that date. An attacker could intercept that CRL and replace it with
the previous but still valid CRL. Unless the response is signed and
incorporates a challenge from the requester, this will not be noticed by
the requester.

Denis

-- 

      Denis Pinkas     Bull S.A.         E-mail : D.Pinkas@frcl.bull.fr
      Rue Jean Jaures  B.P. 68            Phone : 33 - 1 30 80 34 87
      78340 Les Clayes sous Bois. FRANCE   Fax  : 33 - 1 30 80 33 21
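
The replay described in the message above, as an added example that is not part of the original e-mail: a requester that checks only the CRL's own dates accepts the superseded CRL, while one that requires a signature over its own challenge rejects the replayed response. The HMAC key stands in for the responder's SignedData signature, and all names, dates and serial numbers are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: an HMAC key stands in for the responder's signing key
# (the message proposes an S/MIME SignedData signature instead).
RESPONDER_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset

    def encode(self) -> bytes:
        serials = ",".join(str(s) for s in sorted(self.revoked))
        return f"{self.this_update.isoformat()}|{self.next_update.isoformat()}|{serials}".encode()

def sign_response(crl: Crl, nonce: bytes) -> bytes:
    """Responder side: the signature covers the requester's challenge and the CRL."""
    return hmac.new(RESPONDER_KEY, nonce + crl.encode(), hashlib.sha256).digest()

def accept_by_dates(crl: Crl, now: datetime) -> bool:
    """The only check the CRL alone allows: is 'now' inside its validity window?"""
    return crl.this_update <= now < crl.next_update

def accept_with_challenge(crl: Crl, nonce: bytes, sig: bytes, now: datetime) -> bool:
    """Date check plus a signature bound to the nonce sent with this request."""
    return accept_by_dates(crl, now) and hmac.compare_digest(sig, sign_response(crl, nonce))

def demo() -> dict:
    t0 = datetime(2000, 1, 1)  # constructed dates
    regular = Crl(t0, t0 + timedelta(days=7), frozenset({101}))
    # Emergency CRL issued on day 2, before regular.next_update, revoking serial 202.
    emergency = Crl(t0 + timedelta(days=2), t0 + timedelta(days=9), frozenset({101, 202}))
    now = t0 + timedelta(days=3)
    old_nonce = os.urandom(16)                   # challenge from an earlier request
    old_sig = sign_response(regular, old_nonce)  # response captured at that time
    new_nonce = os.urandom(16)                   # challenge for the current request
    return {
        "replay_dates_only": accept_by_dates(regular, now),
        "replay_with_challenge": accept_with_challenge(regular, new_nonce, old_sig, now),
        "fresh_with_challenge": accept_with_challenge(
            emergency, new_nonce, sign_response(emergency, new_nonce), now),
        "serial_202_hidden_by_replay": 202 not in regular.revoked,
    }

if __name__ == "__main__":
    print(demo())
```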